It’s hard enough sometimes just keeping up with the challenges of cybersecurity in the big headline-news cases – think SolarWinds in recent months or the Office of Personnel Management (OPM) intrusion several years back. But the more you talk with experts in cybersecurity, the more it becomes clear that exploitable gaps in the network armor are nearly limitless, and that plugging those gaps requires innovative security in the spaces that remain off the radar for many.
So, it was an eye-opener to meet last month with John Minasyan, Director of Product Management at the cybersecurity business unit of consumer electronics provider Belkin International, and talk about one area of security that represents many billions of possible individual attack vectors but remains an area that many may not appreciate.
That area is KVM – which is short for Keyboard, Video, Mouse. Think of it as cybersecurity in some of the smaller spaces – the physical spaces – that get less attention, but if left unprotected represent yawning gaps in the “east-west” vectors that are vital to attackers to spread through networks once they have broken through the outer layers.
What makes up the KVM category are the physical connections that tie together the elements of just about every kind of desktop computer, and all of the equipment that in turn connects to those machines.
Defending the East-West Vectors
“Whenever you talk about cybersecurity, it’s always in terms of layers of protection,” Minasyan said, “and how many layers you want to go to protect whatever asset you are trying to protect.”
“In our case, we come into play specifically to block a lateral movement option” which is part of a larger intrusion, he said.
“We combat insider threats a little bit, we combat human error that could lead to a breach, but what we really stop is a vector for an east-west attack of someone that’s already infiltrated your network,” and prevent attackers from being able to navigate to more and more critical assets, the Belkin official said.
“It’s a physical stop,” he explained. “It’s not logical code, it’s not AI, it’s bottom-line physics.”
“What we really do is block the ability to use the memory in your monitor to send messages back and forth without the user being aware,” Minasyan said. “We block the ability for a keyboard to have a recording device that captures your password, and we block a speaker on your desk connected to your computer from being turned into a microphone and eavesdropping on private conversations.”
Those vulnerabilities, he said, “are the threats on a desktop that a knowledgeable threat actor can take advantage of. We try to understand those and physically block them from being utilized.”
Enforcing the Air Gaps
Minasyan said the company’s KVM tech also helps to enforce “air gaps” – or physical separations – between systems whose security can be defeated by attaching different components, often as small as a flash drive.
Air-gap requirements, he said, “still exist, and I think in the more sophisticated networks – intelligence and military sort of networks – it’s very much enforced, to the point of standard operating procedures where folks are trained that some devices absolutely cannot touch a secure network.”
“USB flash drives and any other sort of USB device is an easy way to bridge that air gap and introduce whatever malware or virus you have from one system to another,” Minasyan said. “We try to block a specific vector attack so that the USB port for a keyboard can only accept a compliant keyboard, and nothing else. The same for a compliant mouse, and nothing else.”
“Beyond that, we also emulate the USB signal back to the computer, so there’s no direct electrical connection from the keyboard to a host computer, it’s all emulated,” he said. “And so if there are viruses, if there is malware that’s trying to permeate itself through, it has no place to go, because we basically filter it out.”
“We also have an optical data diode, because one of the things that you try to do with USB keys or thumb drives is extract confidential data from one system and store it onto a flash drive and walk out with it,” he said.
To thwart that kind of attempt, “all of the USB ports on these KVMs have optical data diodes that direct the flow of information in one direction, and never back from the computer and onto the system. So even if you have a computer that you’ve connected to that’s got a vulnerability, that vulnerability cannot make its way back to that shared peripheral, only to then jump on to the next system that you connect to.”
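The keyboard-only port rule described above can be pictured as an allowlist over the USB descriptors a device presents when it is plugged in. This added example is not from Belkin or the article: it is a software illustration of a filter the article describes as hardware, and the strict "every interface must be a HID boot keyboard" policy, the function names and the constructed sample descriptors are assumptions.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04          # USB descriptor types
HID_CLASS, BOOT_SUBCLASS = 0x03, 0x01         # HID class, boot-interface subclass
PROTO_KEYBOARD, PROTO_MOUSE = 0x01, 0x02      # HID boot protocols


def interfaces(config: bytes):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    i = 0
    while i < len(config):
        if i + 2 > len(config):
            raise ValueError("truncated descriptor header")
        length, dtype = config[i], config[i + 1]
        if length < 2 or i + length > len(config):
            raise ValueError("malformed descriptor length")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            yield tuple(config[i + 5:i + 8])
        i += length


def port_accepts(config: bytes, protocol: int = PROTO_KEYBOARD) -> bool:
    """Accept only if every interface is a HID boot device of one protocol."""
    try:
        found = list(interfaces(config))
    except ValueError:
        return False                          # fail closed on malformed input
    return bool(found) and all(
        f == (HID_CLASS, BOOT_SUBCLASS, protocol) for f in found)


# Constructed sample descriptors (simplified: no endpoint or HID descriptors).
def _iface(num, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, 0, 1, cls, sub, proto, 0])


def _config(*ifaces):
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(ifaces), 1, 0, 0xA0, 50) + body


KEYBOARD = _config(_iface(0, 0x03, 0x01, 0x01))
COMPOSITE = _config(_iface(0, 0x03, 0x01, 0x01), _iface(1, 0x08, 0x06, 0x50))
FLASH_DRIVE = _config(_iface(0, 0x08, 0x06, 0x50))

if __name__ == "__main__":
    for name, cfg in (("keyboard", KEYBOARD), ("keyboard+storage", COMPOSITE),
                      ("flash drive", FLASH_DRIVE)):
        print(f"{name:18} accepted={port_accepts(cfg)}")
```

The composite case is the one that matters: a device that enumerates as a keyboard but also exposes a mass-storage interface is rejected because the rule checks every interface, not just the first.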
Critical Infrastructure Needs
While he said tight KVM security is more the norm in government agencies including law enforcement and military agencies, there’s also a good argument to be made to expand its use to some critical infrastructure sectors like water utilities. Targets like these, Minasyan said, are “soft targets” for attackers, and have been so “for a very, very long time.”
“The Federal space almost mandates the use of these types of KVMs if you’re going to share peripherals among different systems,” he said, but added that in some portions of the utility sectors, “there is not the same fear that this sort of attack could be debilitating for us. And I think that’s a mistake that we’re allowing to continue.”
He added that Federal organizations – such as the North American Electric Reliability Corp. (NERC) – have the ability to influence what their utility customers do on the security front, and thus the opportunity to issue a “call to action” for government agencies to “take a step further and mandate” that some security improvements like KVM be implemented.